Using a Large Scale Darknet To Identify Botnet Related Activities
The wide array of malware in circulation today has led to perilous incidents that caused serious damage not only to users’ assets, but also to the internet’s infrastructure. This is notably the case with botnets, which are networks of compromised machines that botmasters control remotely to perform various forms of nefarious activity. By far, botnets are considered the most serious cyber-threats today and are used to carry out distributed denial of service (DDoS) attacks, spamming, phishing of sensitive personal data and click fraud, leading to billions of dollars worth of annual damage. As such, countermeasures against botnets have become a pressing need and have recently attracted considerable research effort and operational attention.
A botnet differs from other forms of intrusion malware in two main respects. Firstly, a botnet is goal directed, e.g. generating monetary profit via silent mining of cryptocurrencies and providing spamming and DDoS services to clients who choose to resort to botnets. Secondly, it operates within a Command and Control (C&C) framework: a botmaster (creator of the botnet) communicates with bots (compromised and controlled host machines) through C&C channels to force them to participate in intrusion campaigns. A botnet is created and managed in multiple stages, including C&C server rallying, probe and exploitation, self-update and synchronization, in addition to a wide array of malicious activities.
Detection of Internet Traffic Related to Botnets:
The difficulty of detecting traffic associated with botnet activities has fueled research aimed at accurately detecting botnet related traffic and, from it, identifying the location of botnets and their C&C servers across operational networks. Known approaches for the detection of botnet related traffic fall into one of four groups:
- Fine-grained analysis, e.g. deep packet inspection (DPI), to identify communications associated with botnets.
- IRC detection methods, which rely on the fact that a large percentage of botnets use Internet Relay Chat (IRC) channels and exhibit distinctive features that differ from normal IRC traffic.
- DNS related approaches, which focus on regularities in DNS queries and detect botnet traffic through anomalies in the temporal intensity, similarity and periodicity of compromised hosts that query the same domain.
- The last approach includes methods that combine two or more of the above approaches to yield a more comprehensive analysis.
Utilizing the Darknet to Identify Botnet Related Internet Traffic:
A recently published paper proposed a new approach that identifies botnet related traffic from a different perspective. The analysis is performed on data obtained from unused parts of the internet's address space, namely a darknet, which offers a global view of various cyber threats on the internet at relatively low monitoring cost. The proposed monitoring approach centers on the strong temporal coincidence of probing activities, which results from the coordinated behavior of bots. Executed in a two-stage framework, it can not only identify the grouped activities and associated traffic of bots over short durations, but also detect, with high accuracy, the individual host machines that participate in the campaigns.
The experiments carried out in this study evaluated the Active Epoch (AE) detection and the classifier on datasets obtained from various destination ports of a pair of class-B darknet sensors hosted by NICTER. All probing hosts detected on the darknet were grouped by the network services they probed. Thereafter, the data was manually labeled with the hosts and AEs that participated in the botnet campaigns.
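A minimal sketch of the two-stage idea described above, added here as an illustration and not the paper's algorithm or code. It assumes darknet records of the form (timestamp, source IP, destination port), 60-second bins, a median + k·MAD threshold standing in for the abrupt change detector, and a simple coincidence threshold standing in for the classifier; the sample log is constructed.

```python
from collections import defaultdict
from statistics import median

BIN = 60  # bin width in seconds (assumed, not from the paper)

def bins_by_host(records, port):
    """Map each source host to the set of time bins in which it probed `port`."""
    seen = defaultdict(set)
    for ts, src, dport in records:
        if dport == port:
            seen[src].add(ts // BIN)
    return seen

def active_epochs(records, port, k=5.0):
    """Stage 1 stand-in: bins whose distinct-source count exceeds median + k*MAD."""
    per_bin = defaultdict(set)
    for src, bins in bins_by_host(records, port).items():
        for b in bins:
            per_bin[b].add(src)
    if not per_bin:
        return set()
    span = range(min(per_bin), max(per_bin) + 1)  # silent bins count as zero
    counts = {b: len(per_bin.get(b, ())) for b in span}
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values()) or 1.0  # flat baseline
    return {b for b, c in counts.items() if c > med + k * mad}

def flag_hosts(records, port, min_coincidence=0.8):
    """Stage 2 stand-in: hosts whose probes fall mostly inside active epochs."""
    epochs = active_epochs(records, port)
    return {src for src, bins in bins_by_host(records, port).items()
            if len(bins & epochs) / len(bins) >= min_coincidence}

def sample_records():
    """Constructed darknet log of (ts, src_ip, dst_port); every value is made up."""
    recs = []
    for b in range(30):  # 30 one-minute bins of background noise on 23/tcp
        recs.append((b * BIN + 5, "203.0.113.9", 23))       # persistent scanner
        recs.append((b * BIN + 10, f"198.51.100.{b}", 23))  # stray host, 1st probe
        recs.append((((b + 15) % 30) * BIN + 20, f"198.51.100.{b}", 23))  # 2nd
    for i in range(1, 21):  # 20 coordinated hosts, all probing inside bin 12
        recs.append((12 * BIN + i, f"192.0.2.{i}", 23))
    recs.append((700, "192.0.2.50", 80))  # different service, separate group
    return recs

if __name__ == "__main__":
    print(sorted(flag_hosts(sample_records(), 23)))
```

The persistent scanner and the stray hosts that happen to probe during the active epoch stay below the coincidence threshold, because most of their probes fall outside it.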
To sum up, botnet activities and botnet related traffic produce high temporal coincidence that can be observed in the darknet. The authors of the paper proposed a novel abrupt change detection algorithm that can easily identify botnet probe campaigns with high levels of accuracy. In the paper's experiments on detecting botnet campaigns, temporal features that quantify the coincidence between host machines proved to carry important discriminative information for distinguishing hosts that participate in botnet probes from the remainder. In their future work, the authors plan to use the information gained from this study for “knocking out” botnets as well as managing host reputation across the internet.